
UK GDPR changes now in effect under the Data (Use and Access) Act 2025 — Key takeaways for organisations

Posted Tuesday 10th March 2026

In February 2026, further updates to the UK’s data protection laws came into force under the Data (Use and Access) Act 2025 (“DUAA”).

The Information Commissioner’s Office (“ICO”) has issued a statement on the changes, confirming that they are aimed at supporting organisations in innovation and growth, while maintaining strong protection for personal data.

What are the changes?

  1. The new (seventh) lawful basis – ‘Recognised Legitimate Interests’

A new lawful basis for processing personal data, called ‘Recognised Legitimate Interests’, has been introduced.  This creates a category of legitimate interests for which no balancing test is required: the processing must still be necessary for the stated purpose (the ‘necessity test’), but there is no need to weigh the interests of the data subject against those of the organisation.  This gives businesses more confidence to use data for purposes such as disclosure to a public authority carrying out its public task, crime prevention, safeguarding and responding to emergencies.

  2. Automated Decision Making (ADM) rules relaxed

The DUAA confirms that the strict restrictions on significant decisions taken solely by automated means now apply only where special category data is involved, giving organisations more flexibility to use AI and automation.  Other significant solely automated decisions remain subject to safeguards, such as informing the individual and giving them the opportunity to contest the decision and obtain human intervention, so ADM processes should not be treated as unregulated.

  3. Data Subject Access Requests (DSARs)

The time limit for organisations to respond to subject access requests has been clarified.  The one-month response period only starts once the requester’s identity has been confirmed, so proof of identity should be requested from the requester as early as possible.

The “stop the clock” rule allows organisations to pause the response period if they need further information from the person making the DSAR.  Once that information is received, the response period resumes.  Organisations are also only required to carry out reasonable and proportionate searches when responding to such requests.

  4. Children’s Data Protection

Organisations must implement appropriate ‘technical and organisational measures’ for online services likely to be accessed by children. These measures must be considered from the design stage, ensuring privacy, safety, and age-appropriate safeguards are built into services before they are launched.

  5. Scientific research

The new provisions make it easier for personal data collected for one research project to be reused for further scientific research purposes, which can include both commercial and non-commercial research.

  6. UK International Data Transfers

The ‘essentially equivalent’ standard used in adequacy assessments is replaced by a more flexible ‘data protection test’: the standard of protection for personal data in the destination country must not be ‘materially lower’ than in the UK.  Businesses relying on their own transfer mechanisms will need to apply the same test when assessing a destination country.

  7. Exceptions for cookie consent

Organisations still require consent for all but ‘strictly necessary’ cookies, but there are some new exceptions (e.g. for statistical purposes), provided that users are given a way to opt out.

  8. Increased PECR fines

One significant change that the DUAA introduces is to substantially increase the maximum fines under the Privacy and Electronic Communications Regulations (PECR), so that they are now aligned with UK GDPR levels.  The previous cap of £500,000 has been replaced with a maximum of £17.5 million or 4% of an organisation’s annual global turnover, whichever is higher.

What should organisations do going forward?

  • Prioritise reviewing cookie notices to determine whether the new exemptions can be applied;
  • Ensure internal compliance teams are aware of the changes now in force;
  • Update the relevant GDPR documentation, including data subject rights procedures and privacy notices, to reflect the new lawful basis; and
  • Keep up to date with further ICO guidance, which is expected throughout Spring and Summer 2026.

Further changes in relation to complaints from data subjects are set to come into force on 19th June 2026.  The ICO has new powers, including the ability to compel witnesses to attend interviews, and has been clear that it will take serious action against organisations that do not comply.  Businesses should therefore keep a close eye on further updates throughout the year and should review and update their relevant policies regularly to avoid costly consequences further down the line.

If you have any questions related to this article, please contact Matthew Overton, Partner in our Corporate & Commercial team.


This article is for reference purposes only. It does not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking or deciding not to take any action.

